Don't assume that idn_to_ascii does validation.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2025-07-31 19:30:21 +02:00 · 2016-10-27 01:36:08 -07:00
parent dc8702160c
commit 3ba9133b21
1 changed files with 5 additions and 4 deletions
--- a/library/HTMLPurifier/AttrDef/URI/Host.php
+++ b/library/HTMLPurifier/AttrDef/URI/Host.php
@@ -97,7 +97,7 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef

        // PHP 5.3 and later support this functionality natively
        if (function_exists('idn_to_ascii')) {
-            return idn_to_ascii($string);
+            $string = idn_to_ascii($string);

        // If we have Net_IDNA2 support, we can support IRIs by
        // punycoding them. (This is the most portable thing to do,
@@ -123,13 +123,14 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
                    }
                }
                $string = implode('.', $new_parts);
-                if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
-                    return $string;
-                }
            } catch (Exception $e) {
                // XXX error reporting
            }
        }
+        // Try again
+        if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+            return $string;
+        }
        return false;
    }
 }